Popular online card and board gaming website VIPGames exposed the personal information of tens of thousands of users by failing to secure an Elasticsearch server that stored thousands of user profiles and 23 million data records.
Owned by Casualino JSC, a Bulgarian subsidiary of Zariba Group, VIPGames is a popular card and board games website with over 20,000 daily active users, offering games such as Hearts, Crazy Eights, Euchre, Rummy, Dominoes, Backgammon, Ludo, and Yatzy. Casualino JSC also develops other online games such as VIPSpades.com, VIPBelote.fr, Belot.bg, VIPJalsat.com and VIPBaloot.com.
Earlier this week, security researchers at WizCase, a firm that evaluates cyber security tools and products such as VPN products and antivirus solutions for the benefit of consumers worldwide, discovered an Elasticsearch server owned by VIPGames that could be accessed by anyone with the URL of the server.
The researchers found that the server stored vast amounts of personal information about the website's users, amounting to 30GB of data that included 66,000 user profiles and 23 million data records. These records included usernames, emails, device details, IP addresses, hashed passwords, Facebook IDs, Twitter IDs, Google IDs, in-game transaction details, bets, and details regarding banned players. None of the stored records were encrypted.
"If such data had fallen into the hands of cybercriminals, it could have been exploited for identity theft, fraud, phishing, scamming, espionage and malware infestation," WizCase said, adding that the threat faced by gaming platforms is quite high as they routinely experience multiple attacks from hackers, sabotage from competing platforms, and intra-platform attacks by players targeting the Internet connections of rival users.
The researchers also found that VIPGames.com hashed users' passwords with the bcrypt algorithm, for which cracking tools already exist in cybercrime markets. If hackers crack these passwords, they can use them to launch credential-stuffing attacks against other online platforms, as many gamers reuse the same password across many websites and apps.
Soon after WizCase announced the massive data leak, VIPGames issued a statement via its website, stating that the misconfiguration was resolved in less than two hours after it was reported to the company.
"Their report brought to attention an Elasticsearch server misconfiguration that occurred with one of our servers that was part of our backup log and stored user data older than six months. The event took place on October 5th, and it was resolved within two hours by our team.
"Sensitive information was not compromised during the aforementioned time frame. User IDs, transaction IDs, and social tokens only make sense in our application and cannot be used to trace or uncover the identity of the user that was registered or banned by us," the company said.
"We would like to clarify that this was a temporary misconfiguration, NOT an attack, hack, or breach. There are no records of any data being leaked. This misconfiguration was disclosed to us by a team of white hat penetration testers.
"We, the VIP Games team, would like to extend our thanks and apologies for the minor lapse, and to assure everyone that we have taken all necessary steps to resolve the issue. We have conducted a comprehensive review of our IT and security systems, and we remain dedicated to the protection and safety of our gaming community," it added.
According to Eoin Keary, CEO and founder of Edgescan, unsecured servers are not uncommon, and this comes down to a lack of visibility and asset monitoring. One foundation of security is visibility, so it is essential to know what your estate looks like and what needs to be secured.
"With the cloud deployment model, systems can be spun up and deployed in minutes, but they can also be easily forgotten about, leaving an organisation open to exposure. Organisations should implement continuous asset profiling & alerting, which is in real-time and non-stop, in order to detect rogue deployments and keep track of their assets.
"Luckily for VIP Games, the passwords were encrypted according to best practice. Bcrypt (with multiple rounds) is generally a good solution and would be pretty difficult to crack. However, from a GDPR standpoint they may not be as lucky. If the data exposed contains Personally Identifiable Information (PII), such as emails or social profiles, these could be used for phishing attacks, ransomware, malware and possibly blackmail depending on what is exposed," he added.
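As an added illustration, not taken from the article and not VIPGames' own configuration (the company's statement does not say which setting was wrong), here are two `elasticsearch.yml` fragments: the kind of open binding that makes a node readable by anyone who can reach its URL, followed by a hardened equivalent that listens only on a private interface, requires credentials, and encrypts traffic. The private address and certificate paths are placeholders.

```yaml
# --- Exposed (weak) configuration: constructed example, not VIPGames' actual file ---
# Binding to every interface with security switched off means anyone who can reach
# TCP/9200 can list, read and modify every index without any credentials.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
---
# --- Hardened configuration ---
# Listen only on the private management interface (placeholder address), so the
# node is never reachable from the public Internet; reach it via VPN or bastion.
network.host: 10.0.5.20
http.port: 9200
# Require authentication and role-based authorization for every REST and
# transport request. On 6.x/7.x, set the built-in user passwords afterwards
# with bin/elasticsearch-setup-passwords.
xpack.security.enabled: true
# Serve the HTTP API over TLS so credentials and data are not sent in clear text.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
# Encrypt node-to-node traffic as well (mandatory once security is enabled on a
# multi-node cluster).
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
```

After applying the hardened file, confirm from outside the private network that port 9200 does not answer, and record the host in the asset inventory so that the continuous profiling Keary describes will flag it if it is ever re-exposed.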